FSSO dynamic address subtype
The Fortinet Single Sign-ON (FSSO) dynamic firewall address subtype can be used in policies that support dynamic address types. The FortiGate will update the dynamic address used in firewall policies based on the source IP information for the authenticated FSSO users.
It can also be used with FSSO group information that is forwarded by ClearPass Policy Manager (CPPM) via FortiManager, and other FSSO groups provided by the FSSO collector agent or FortiNAC.
To configure FSSO dynamic addresses with CPPM and FortiManager in the GUI:
- Create the dynamic address object:
- Go to Policy & Objects > Addresses > Create New > Address.
- For Type, select Dynamic.
- For Sub Type, select Fortinet Single Sign-On (FSSO). The Select Entries pane opens and displays all available FSSO groups.
- Select one or more groups.
- Click OK to save the configuration.
When the address table appears, there will be an error message for the address you just created (Unresolved dynamic address: fsso). This is expected because there are currently no authenticated FSSO users (based on source IP) in the local FSSO user list.
- Add the dynamic address object to a firewall policy:
- Go to Policy & Objects > IPv4 Policy.
- Create a new policy or edit an existing policy.
- For Source, add the dynamic FSSO address object you just created.
- Configure the rest of the policy as needed.
- Click OK to save your changes.
- Test the authentication to add a source IP address to the FSSO user list:
- Log in as user and use CPPM for user authentication to connect to an external web server. After successful authentication, CPPM forwards the user name, source IP address, and group membership to the FortiGate via FortiManager.
- Go to Monitor > Firewall User Monitor to view the user name (fsso1) and IP address.
- Go to Policy & Objects > Addresses to view the updated address table. The error message no longer appears.
- Hover over the dynamic FSSO address to view the IP address (fsso resolves to: 10.1.100.185).
To verify user traffic in the GUI:
- Go to Log & Report > Forward Traffic.
Details for the user fsso1 are visible in the traffic log:
- If another user is authenticated by CPPM, then the dynamic address fsso entry in the address table will be updated. The IP address for user fsso2 (10.1.100.188) is now visible:
If a user logs off and CPPM receives log off confirmation, then CPPS updates the FortiGate FSSO user list via FortiManager. The user IP address is deleted from the dynamic FSSO address, and the user is no longer be able to pass the firewall policy. |
To configure FSSO dynamic addresses with CPPM and FortiManager in the CLI:
- Create the dynamic address object:
config firewall address edit "fsso" set uuid 6f63c872-c90b-51e9-ebfd-16c18807c795 set type dynamic set sub-type fsso set fsso-group "cp_test_FSSOROLE" next end
- Add the dynamic address object to a policy:
config firewall policy edit 1 set name "pol1" set uuid 2b88ed8a-c906-51e9-fb25-8cb12172acd8 set srcintf "port2" set dstintf "port3" set srcaddr "fsso" set dstaddr "all" set action accept set schedule "always" set service "ALL" set logtraffic all set fsso disable set nat enable next end
To verify user traffic in the CLI:
- Check the FSSO user list:
diagnose debug authd fsso list ----FSSO logons---- IP: 10.1.100.185 User: fsso1 Groups: cp_test_FSSOROLE Workstation: MemberOf: FSSO-CPPM cp_test_FSSOROLE Total number of logons listed: 1, filtered: 0 ----end of FSSO logons----
- Check the authenticated firewall users list:
diagnose firewall auth list 10.1.100.185, fsso1 type: fsso, id: 0, duration: 2928, idled: 2928 server: FortiManager packets: in 0 out 0, bytes: in 0 out 0 group_id: 2 33554433 group_name: FSSO-CPPM cp_test_FSSOROLE ----- 1 listed, 0 filtered ------
After user traffic passes through the firewall, the nu
diagnose firewall auth list 10.1.100.185, fsso1 type: fsso, id: 0, duration: 3802, idled: 143 server: FortiManager packets: in 1629 out 1817, bytes: in 2203319 out 133312 group_id: 2 33554433 group_name: FSSO-CPPM cp_test_FSSOROLE ----- 1 listed, 0 filtered ------